P
US12506715B2ActiveUtilityPatentIndex 52

Network authentication toxicity assessment

Assignee: QOMPLX LLCPriority: Oct 28, 2015Filed: Jun 12, 2023Granted: Dec 23, 2025
Est. expiryOct 28, 2035(~9.3 yrs left)· nominal 20-yr term from priority
Inventors:CRABTREE JASONKELLEY RICHARD
H04L 9/3213H04L 9/0894H04L 63/145H04L 63/0815H04L 63/0807H04L 63/1425H04L 63/1433H04L 9/3239H04L 9/3236H04L 63/0428
52
PatentIndex Score
0
Cited by
83
References
20
Claims

Abstract

A system and method for scoring and enforcing authentication standards that actually enable zero trust network security principles when combined with stateful authentication object tracking, authentication object manipulation and forgery detection, and assessment of authentication and identity attack surface. The methodology involves gathering all authentication objects issued by a network, storing the authentication objects in a centralized location for use in stateful deterministic authentication object tracking, scoring the completeness of the authentication observations, assessing the quality of the authentication observations, and assigning organization-specific penalty functions.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A system for computer network authentication toxicity assessment, comprising:
 a computing device comprising a memory, a processor, and a non-volatile data storage device;   a centralized authentication object database stored on the non-volatile data storage device;   an authentication object aggregator comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
 gather authentication objects from one or more domain controllers; and 
 store the authentication objects in the centralized authentication object database; and 
   a scoring engine comprising a second plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
 determine the total amount of authentication objects gathered; 
 determine what portion of the authentication objects are bad authentication objects; 
 output a network toxicity report comprising the number of bad authentication objects as a proportion of the total amount of authentication objects gathered; and 
 where the proportion meets or exceeds a threshold, issue a warning to a network administrator that the network's toxicity has exceeded the threshold. 
   
     
     
         2 . The system of  claim 1 , wherein the bad authentication objects comprise bad authentication objects selected from the list of known fraudulent authentication objects, suspected fraudulent bad authentication objects, and authentication objects issued by the New Technology LAN Manager (NTML) network security protocol. 
     
     
         3 . The system of  claim 1 , wherein the scoring engine is further configured to perform a completeness analysis of the gathered objects comprising a determination of the number and type of authentication objects actually collected versus the number and type of authentication objects expected to be collected. 
     
     
         4 . The system of  claim 1 , wherein the scoring engine is further configured to determine what proportion of authentication objects use a weak network security protocol or configuration. 
     
     
         5 . The system of  claim 1 , wherein the scoring engine is further configured to apply organization-specific or network-specific bonuses and penalties to the network toxicity report. 
     
     
         6 . The system of  claim 1 , wherein the authentication object aggregator is further configured to cause the computing device to:
 receive a first authentication object requesting access to a first resource of the computer network;   identify the purported issuance of the first authentication object's from information contained in the first authentication object;   search the centralized authentication object database for a copy of the purported issuance for the first authentication object;   approve access to the first resource where the copy of the purported issuance is found in the centralized authentication object database; and   deny access to the first resource where the copy of the purported issuance is not found in the centralized authentication object database.   
     
     
         7 . The system of  claim 1 , wherein the authentication object aggregator is further configured to:
 store a complete record of every authentication object issued by the network in the centralized authentication object database;   track each presentation of an authentication object for access to network resources; and   deterministically identify forged authentication objects by detecting when a presented authentication object lacks a corresponding issuance record in the centralized authentication object database.   
     
     
         8 . The system of  claim 1 , wherein the scoring engine employs stateful deterministic detection that verifies each authentication object against issuance records in the centralized authentication object database and heuristic detection that analyzes authentication patterns and behaviors to identify anomalous authentication activity. 
     
     
         9 . The system of  claim 1 , wherein the scoring engine applies protocol-specific penalties when calculating the network toxicity report, comprising negative scoring for authentication objects using NTLM protocol, negative scoring for authentication objects using weak encryption including RC4, positive scoring for authentication objects using Kerberos with stateful validation, and positive scoring for authentication objects using SAML with stateful validation. 
     
     
         10 . The system of  claim 1 , wherein the authentication object aggregator is further configured to continuously gather authentication objects in real-time as they are issued and used within the network wherein the centralized authentication object database maintains a real-time ledger of all valid authentication credentials and the scoring engine provides continuous monitoring of network toxicity levels to enable detection of authentication-based attacks. 
     
     
         11 . A method for computer network authentication toxicity assessment, comprising the steps of:
 storing a centralized authentication object database stored on a non-volatile data storage device of a computing device comprising a memory, a processor, and the non-volatile data storage device;   using an authentication object aggregator operating on the computing device to:
 gather authentication objects from one or more domain controllers; and 
 store the authentication objects in the centralized authentication object database; and 
   using a scoring engine operating on the computing device to:
 determine the total amount of authentication objects gathered; 
 determine what portion of the authentication objects are bad authentication objects; 
 output a network toxicity report comprising the number of bad authentication objects as a proportion of the total amount of authentication objects gathered; and 
 where the proportion meets or exceeds a threshold, issue a warning to a network administrator that the network's toxicity has exceeded the threshold. 
   
     
     
         12 . The method of  claim 11 , wherein the bad authentication objects comprise bad authentication objects selected from the list of known fraudulent authentication objects, suspected fraudulent bad authentication objects, and authentication objects issued by the New Technology LAN Manager (NTML) network security protocol. 
     
     
         13 . The method of  claim 11 , further comprising the step of configuring the scoring to perform a completeness analysis of the gathered objects comprising a determination of the number and type of authentication objects actually collected versus the number and type of authentication objects expected to be collected. 
     
     
         14 . The method of  claim 11 , further comprising the step of configuring the scoring engine to determine what proportion of authentication objects use a weak network security protocol or configuration. 
     
     
         15 . The method of  claim 11 , further comprising the step of configuring the scoring to apply organization-specific or network-specific bonuses and penalties to the network toxicity report. 
     
     
         16 . The method of  claim 11 , further comprising the step of configuring the authentication object aggregator to:
 receive a first authentication object requesting access to a first resource of the computer network;   identify the purported issuance of the first authentication object's from information contained in the first authentication object;   search the centralized authentication object database for a copy of the purported issuance for the first authentication object;   approve access to the first resource where the copy of the purported issuance is found in the centralized authentication object database; and   deny access to the first resource where the copy of the purported issuance is not found in the centralized authentication object database.   
     
     
         17 . The method of  claim 11 , further comprising the steps of configuring the authentication object aggregator to:
 store a complete record of every authentication object issued by the network in the centralized authentication object database;   track each presentation of an authentication object for access to network resources; and   deterministically identify forged authentication objects by detecting when a presented authentication object lacks a corresponding issuance record in the centralized authentication object database.   
     
     
         18 . The method of  claim 11 , wherein the scoring engine is further used to employ stateful deterministic detection that verifies each authentication object against issuance records in the centralized authentication object database and heuristic detection that analyzes authentication patterns and behaviors to identify anomalous authentication activity. 
     
     
         19 . The method of  claim 11 , wherein the scoring engine is further used to apply protocol-specific penalties when calculating the network toxicity report, comprising negative scoring for authentication objects using NTLM protocol, negative scoring for authentication objects using weak encryption including RC4, positive scoring for authentication objects using Kerberos with stateful validation, and positive scoring for authentication objects using SAML with stateful validation. 
     
     
         20 . The method of  claim 11 , further comprising:
 continuously gathering authentication objects in real-time as they are issued and used within the network;   maintaining a real-time ledger of all valid authentication credentials in the centralized authentication object database; and   providing continuous monitoring of network toxicity levels using the scoring engine to enable detection of authentication-based attacks.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.